Qualys Scanner - VLAN Scanning Guide


Qualys scanners support IEEE 802.1q VLAN tagging protocol. When connected to a suitably 
configured trunk port, VLAN scanning allows the scanner to tag frames with the target VLAN ID, 
enabling your switching fabric to move scan traffic across your network, and allowing the 
scanner to participate in the VLAN. Participation in the VLAN allows the scanner to scan devices 
in the same VLAN directly as a “neighbor”. This eliminates dependencies on Layer 3 devices,
such as firewalls, load balancers, IDS/IPS and so forth.


Benefits 


- A potential increase in overall scan performance 
by reducing the delays associated with transiting 
Layer 3 devices 


- Better OS and service fingerprinting since Layer 3 
devices often modify packet headers or change the 
handling of non-RFC compliant datagrams 


- Reduced load on compute and other resources on
Layer 3 devices, particularly half-open connection
state tables


- Reduction of “ghost host” issues due to 
inappropriate responses from Layer 3 devices to 
datagrams destined for unused NAT and VIP 
addresses 


Use of VLAN tagging does not preclude the
simultaneous use of non-VLAN-tagged scan traffic on
the same interface. Neither does it require the use
of a dual-NIC configuration on the scanner.


Requirements 

- VLAN scanning must be enabled for your subscription. Please contact Support or your
Technical Account Manager to enable this feature.

- The scanner must be connected to a trunk port.

- The trunk port must be configured to allow the necessary VLANs to the interface.


Limitations 


Public/Private cloud provider distributions and offline scanner appliances do not support VLAN 
trunking. 


Physical scanners support up to 4094 IPv4 VLANs and up to 3270 IPv6 VLANs for devices with a 
serial number over 29000 and up to 99 VLANs for devices with a serial number under 29000. 


Virtual scanners (except public/private cloud provider and offline scanner images) support up to 
4094 IPv4 VLANs and up to 3270 IPv6 VLANs. 


For more information about the currently supported Virtual and Cloud platforms, see Qualys 
Virtual Scanner Appliance: Platform Qualification Matrix. 


Required VLAN Information 


The following information is required for each VLAN the scanner is configured to participate in: 


VLAN configuration on the appliance for network traffic: 


You'll define a single “native” VLAN on the appliance. This is required only if the appliance needs 
to reach the Qualys datacenter over a VLAN-tagged network segment. Both Static and DHCPv4 IP 
addresses are supported in this case. See Add native VLAN on the Appliance Console. 


VLAN configuration in the UI for scan traffic: 


You'll define VLANs in the Qualys UI for scan traffic only. The following information is required 
for each VLAN the scanner is configured to participate in. 


IP Address — The IP address must be unique per appliance. This means the same IP address 
cannot be defined in another VLAN configuration for the same appliance. For IPv4, only a static 
IPv4 address is supported. If your account is configured to allow IPv6, then you can provide a 
static IPv6 address or we can get the IPv6 address from SLAAC (RA). We do not support DHCPv4
or DHCPv6 for UI-defined VLANs. 


Netmask — A valid netmask defining the subnet. Example: 255.255.255.0


ID - A VLAN ID. You may specify a number between 0 and 4094, inclusive. The VLAN ID must be
unique per appliance. This means the same VLAN ID cannot be defined in another VLAN
configuration for the same appliance.


Name - A VLAN name to identify the VLAN configuration in the VLANs list. 


Add native VLAN on the Appliance Console 


It is possible to configure a single (“native”) VLAN from the appliance console. This can be 
configured using the LCD panel (for a physical appliance) or virtual appliance console. 


Note:
This VLAN cannot be viewed or edited within the user interface.
This VLAN takes precedence if a VLAN with the same tag is defined in the user interface.




Configure VLANs in the UI 


These steps assume you have already deployed, connected and verified that the scanner 
appliance is operational. 


1) Configure the trunk port on the switch to allow the necessary VLANs. 


2) Log in to Qualys as a Manager, go to Scans > Appliances, select the appliance, and choose Edit 
from the Quick Actions menu. 


3) Choose the VLANs tab on the left.

[Screenshot: Edit Scanner Appliance, VLANs tab. Example row: IPv4 address 172.16.4.80, IPv4 netmask 255.255.255.0, ID 504, name "management VLAN".]


4) Click New (or Edit to change existing VLAN information). Enter the IP address, subnet mask, 
ID, and a name for the new VLAN as shown below. When you have finished entering all the 
required VLAN information click Save. 


[Screenshot: Edit VLAN dialog with IP Address, Netmask and ID fields.]


Once configured the scanner will automatically use 802.1q VLAN tags for traffic matching a 
configured VLAN address and netmask. This will allow your switching fabric to move the traffic 
using Layer 2, enabling the scanner to scan targets in those subnets as a neighbor. Traffic for IPs 
not matching any of the configured VLANs will be sent via the default network interface and 
default gateway as per normal operations. 
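
The rules above, as an added example that is not Qualys code and does not reflect the appliance's implementation: it checks a VLAN list against the stated constraints (ID between 0 and 4094, ID and IP unique per appliance, valid netmask), decides whether a target would be tagged or sent via the default path, and builds the 802.1Q tag. It covers IPv4 only; the dictionary layout, the function names, the second sample entry and the most-specific-subnet tie-break are assumptions.

```python
import ipaddress
import struct

# First entry mirrors the example row in this guide; the second is constructed.
SAMPLE_VLANS = [
    {"name": "management VLAN", "id": 504, "ip": "172.16.4.80", "netmask": "255.255.255.0"},
    {"name": "lab", "id": 20, "ip": "10.20.0.5", "netmask": "255.255.0.0"},
]

def _network(v):
    return ipaddress.ip_interface(f"{v['ip']}/{v['netmask']}").network

def validate(vlans):
    """Check the per-appliance rules the guide states; return a list of violations."""
    errors, seen_ids, seen_ips = [], set(), set()
    for v in vlans:
        if not 0 <= v["id"] <= 4094:
            errors.append(f"{v['name']}: VLAN ID {v['id']} is outside 0-4094")
        if v["id"] in seen_ids:
            errors.append(f"{v['name']}: VLAN ID {v['id']} already used on this appliance")
        if v["ip"] in seen_ips:
            errors.append(f"{v['name']}: IP {v['ip']} already used on this appliance")
        seen_ids.add(v["id"])
        seen_ips.add(v["ip"])
        try:
            _network(v)
        except ValueError:
            errors.append(f"{v['name']}: invalid IPv4 address or netmask")
    return errors

def select_vlan(vlans, target):
    """Return the VLAN ID used to tag traffic to target, or None for the default path."""
    addr = ipaddress.ip_address(target)
    matches = [(_network(v).prefixlen, v["id"]) for v in vlans if addr in _network(v)]
    # Assumption: when configured subnets overlap, the most specific one wins.
    return max(matches)[1] if matches else None

def dot1q_tag(vlan_id, priority=0):
    """Build the 4-byte 802.1Q tag: TPID 0x8100, then PCP (3 bits), DEI (1), VID (12)."""
    return struct.pack("!HH", 0x8100, (priority << 13) | (vlan_id & 0x0FFF))

if __name__ == "__main__":
    print(validate(SAMPLE_VLANS))
    for ip in ("172.16.4.23", "192.0.2.10"):
        vid = select_vlan(SAMPLE_VLANS, ip)
        print(ip, "->", f"VLAN {vid}, tag {dot1q_tag(vid).hex()}" if vid is not None else "default gateway")
```
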

IPv6 Support for VLANs


The IPv6 Scanning feature must be enabled for your account. Please contact Support
or your Technical Account Manager if you would like to have this feature turned on.


You must enable IPv6 on the scanner to add IPv6 configurations. Select “Enable IPv6 
for this scanner” on the LAN Settings tab. 


[Screenshot: Edit Scanner Appliance, LAN Settings tab, showing the "Enable IPv6 for this scanner" option.]

Note: Select this option to configure IPv6 for LAN, VLANs and Static Routes. If you clear this option after saving IPv6 configurations for LAN, VLANs and Static Routes, your IPv6 configurations will be deleted.


On the VLANs tab you'll see IPv4 and IPv6 configurations that have been configured 
for the appliance. 


[Screenshot: Edit Scanner Appliance, VLANs tab, listing each VLAN with IPv4 Enabled, IPv4 Address, IPv4 Netmask, IPv6 Enabled, IPv6 Address and ID columns.]


When you create or edit a VLAN, click the Enable IPv4 option to add IPv4 details 
and click the Enable IPv6 option to add IPv6 details. You can choose to enable IPv4 
only, IPv6 only or both. 


[Screenshot: Edit VLAN dialog with Enable IPv4, IPv4 Address, IPv4 Netmask and Enable IPv6 fields, Configure IPv6 set to Static, and example IPv6 address fe80::912e:21f6:887e:fff2.]

Note: Currently only "/64" is supported

Configure IPv6 Setting


When you enable IPv6, you must choose Static or Automatically to define how you want to 
configure the IPv6 address. When you choose Static, you'll enter the static IPv6 address. When 
you choose Automatically, we’ll get the IPv6 address from the Stateless Address 
Autoconfiguration (SLAAC) via Router Advertisements (RA). Note that DHCPv6 is not supported. 


[Screenshot: Edit VLAN dialog with Enable IPv4, IPv4 Address, IPv4 Netmask and Enable IPv6 fields, and Configure IPv6 set to Automatically.]

Note: Currently only "/64" is supported